I cracked it on my G5 - try a similar path and see if it helps:

Installing Symantec/Verisign Cert for CA/Personal Key/email Signing - Workaround on G5 for "password for storing credentials" issue:

Started with "Fingerprint" Lock as my Chosen Security (which I love)
1. Intentionally Failed Fingerprint Scan (or whatever your screen lock is, if none, set one) 5 Times
2. Logged in with "Google Credentials" to Bypass Screen Lock
3. Went back to Chrome on Symantec "Download/Install Cert" Page (See Below, worked same with Choosing PFX from File Browser, Google Drive, too).
4. "Install Certificate" Button on Symantec Page
5. Android Prompt Box for "Enter Certificate Password" (entered the password)
6. Android Prompt Pop-up to "Set Password or Pin Lock"
7. Set Password Lock (or PIN)
8. Android Pop-up "Certificate Installed"

Then I get a "Warning" in the Notification Bar, which drags down to give a Warning stating ""Network may be Monitored By an Unknown Third Party", which drills into a message stating "A Trusted Certificate on your Device is Allowing a Third Party to Monitor Your Internet Activity ..." ! (Although Possible, rarely implemented, and they will not have access to your Private Key, which is the Whole Point! Besides, they ALREADY have your MAC Address in the header of the TCP/IP Stack! Anyone know why they are warning on this?)

Now the LOUSY Part - Try to Switch Back to "Fingerprint Unlock" Method, but ONLY "PIN" and "Password" are Available! All other options, like my favorite "Fingerprint", are Greyed Out, with the message under each that they are "Turned Off by Administrator, Encryption Policy, or Credential Storage"! (long ugh) I don't have the specifics on how secure the bio-scan is for the Fingerprint Lock, but if it's Average or Better, then Fingerprint Scan is more Secure, or at Least "As Secure" - and Incredibly more convenient! What a drag...

But, I did Not have to Reboot/Restart. After "Clearing" the Certificate, it was Repeatable. Actually, on the Repeat, it only prompted for the Certificate Password, and did not prompt me for the Credential Storage Password again.

NOTE: I did try it again with Security->"Install from Phone Storage"->(Pick the *.pfx file in the File Browser, which included by Google Drive Folders since I have Drive Installed), instead of the "Install" from the Symantec Page, and had the same positive results.

_Really_ not Happy that I can't use Fingerprint Lock _and_ have a Certificate!

Anyone have a Logical Reason for the Restriction? A real PITA...